Hi Rajith,

As of now, Ballerina doesn't support setting mutual SSL to 'optional'. It
only supports the 'require' option. With that, it requires client
certificate authentication. The connection will terminate if no suitable
client certificate is presented. So currently there is no way of doing
that. Better to create an issue to track this requirement.

Hi Chamindu,

If this is a valid requirement to set it to optional, we'll keep it that
way. As we do not support it from Ballerina now, let's keep that option
disabled. Once the support is given from Ballerina, we can continue
using that option as well.

Thanks,
Bhashinee

On Mon, Oct 22, 2018 at 5:16 PM Chamindu Udakara <chami...@wso2.com> wrote:

> Hi Bhashinee Akka,
>
> It was a mistake to put that parameter value as "optional" since we are
> not providing optional support. I will change it to false or "not required".
>
> Thank You
>
> On Mon, Oct 22, 2018 at 3:07 PM Bhashinee Nirmali <bhashi...@wso2.com>
> wrote:
>
>> Hi Chamindu,
>>
>> On Mon, Oct 22, 2018 at 10:22 AM Chamindu Udakara <chami...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> The project I have chosen is Certificate based authentication for micro
>>> gateway.
>>>
>>> *Problem*
>>>
>>>    - Micro-gateway does not have certificate based authentication or
>>>    Mutual TLS establishment, and micro-gateway can authenticate a request
>>>    using OAuth2 token only. This is an overhead for trusted clients who are
>>>    using this product because of the token generation and life cycle of
>>>    OAuth2 tokens.
>>>
>>> *Solution*
>>>
>>>    - This project is carried out to overcome the above limitation by
>>>    providing Mutual TLS (Certificate based authentication) to micro-gateway.
>>>
>>>
>>> *Design*
>>>
>>> Configure the mutualSSL feature at runtime level in configuration
>>>
>>> The MutualSSL feature can be enabled for a micro-gateway after it is built
>>> by changing a property in the "micro-gw.conf" file. There is a property
>>> "sslVerifyClient" in this "micro-gw.conf" file under the "[mtslConfig]"
>>> instance ID. By default this value is set to "false".
>>>
>>>     When this property is set as follows,
>>>
>>>         sslVerifyClient = "false"
>>>
>>> the micro-gateway will function as before, using OAuth or JWT tokens for
>>> authentication.
>>>
>>>     To enable mutualSSL in a micro-gateway, the user has to change this
>>> "sslVerifyClient" as follows,
>>>
>>>         sslVerifyClient = "require"
>>>
>>> and the user has to change the KeyStore path and KeyStore password in this
>>> "micro-gw.conf" file. The "keyStore.path" and "keyStore.password"
>>> properties under the "[listenerConfig]" instance ID have to be changed.
>>>
>>>     By enabling this MutualSSL feature in micro-gateway, the authentication
>>> process is done in the transport layer, and therefore OAuth headers or JWT
>>> tokens will not be needed for requests from trusted clients. If mutualSSL
>>> is enabled in the micro-gateway, "Authentication_Filter" and
>>> "Authorization_Filter" will be skipped by the newly introduced
>>> "Mutual_SSL_Filter". The details needed for throttling are also appended by
>>> this "Mutual_SSL_Filter". Then the listener.bal file looks as follows,
>>>
>>> endpoint gateway:APIGatewaySecureListener apiSecureListener {
>>>     port:9095,
>>>     filters:[mtslFilter, authnFilter, authorizationFilter, subscriptionFilter,
>>>              throttleFilter, analyticsFilter, extensionFilter]
>>> };
>>>
>>> micro-gw.conf will change as follows,
>>>
>>> [mtslConfig]
>>> protocolName="TLS"
>>> protocolVersions=["TLSv1.2", "TLSv1.1"]
>>> ciphers=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
>>>   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
>>>   "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
>>>   "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA",
>>>   "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>>>   "TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
>>>   "TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
>>>   "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
>>>   "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA",
>>>   "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>>>   "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
>>>
>> I hope the above configurations (protocolName, protocolVersions,
>> ciphers) are not mandatory fields to enable mutual SSL, because these are
>> not specific to mutual SSL. They can be configured in one-way SSL as well. So
>> how about changing the name [mtslConfig] to [SslConfig]?
>>
>>
>>>
>>> sslVerifyClient="optional"
>>>
>>
>> What do you mean by setting sslVerifyClient="optional"? Does that mean
>> that you first check if the mutual SSL has succeeded and if it has
>> succeeded you skip OAuth or JWT tokens authentication and if mutual SSL
>> fails, you continue with OAuth or JWT tokens authentication as well?
>>
>>
>>
>>>
>>> Thank You
>>>
>>> --
>>> *Chamindu Udakara *
>>> *Software engineering Intern*
>>> WSO2  (University of Moratuwa)
>>> *mobile *: *+94 755285531*  |   *email *:  cudak...@gmail.com
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>
>>
>> --
>> *Bhashinee Nirmali*
>> *Software Engineer*
>> *WSO2 Lanka (Private) Limited: **http://wso2.com*
>> *lean.enterprise.middle-ware*
>>
>>
>> *phone: (+94) 71 21 50003*
>> <http://wso2.com/signature>
>>
>
>
>


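As an added worked example that is not part of this thread or of the micro-gateway code: a small lint for the [mtslConfig] block discussed above, flagging the sslVerifyClient="optional" value the thread concludes is unsupported, the TLSv1.1 entry and the 3DES / SSL_-prefixed suites in the quoted cipher list, and a missing [listenerConfig] keyStore.path when "require" is set. The minimal parser and the constructed sample conf are assumptions about the micro-gw.conf layout, taken from the quoted snippet rather than from the project.

```python
"""Lint a micro-gw.conf [mtslConfig] block for the points raised in the thread.

Added example, not micro-gateway project code. Assumes the [section]/key=value
layout of the quoted snippet, that only "false" and "require" are supported
sslVerifyClient values, and a [listenerConfig] keyStore.path as in the design.
"""
import re

SUPPORTED_VERIFY_CLIENT = {"false", "require"}
DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the quoted snippet trimmed, with the unsupported "optional".
SAMPLE_CONF = """
[mtslConfig]
protocolName="TLS"
protocolVersions=["TLSv1.2", "TLSv1.1"]
ciphers=["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
  "SSL_RSA_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
sslVerifyClient="optional"
"""

def parse_conf(text):
    """Minimal parser: returns {section: {key: str | list[str]}}."""
    sections, current = {}, None
    for m in re.finditer(r'^\[(\w+)\]|([\w.]+)\s*=\s*(\[[^\]]*\]|"[^"]*")', text, re.M):
        if m.group(1):
            current = sections.setdefault(m.group(1), {})
        elif current is not None:
            raw = m.group(3)
            current[m.group(2)] = (re.findall(r'"([^"]*)"', raw)
                                   if raw.startswith("[") else raw.strip('"'))
    return sections

def lint_mtls_config(conf_text):
    """Return a list of findings; an empty list means the block passed."""
    conf = parse_conf(conf_text)
    mtls = conf.get("mtslConfig", {})
    findings = []
    verify = mtls.get("sslVerifyClient", "false")
    if verify not in SUPPORTED_VERIFY_CLIENT:
        findings.append(f"sslVerifyClient={verify!r} is unsupported; use 'false' or 'require'")
    # 'require' drops handshakes without a client cert, so the key store must be configured.
    if verify == "require" and "keyStore.path" not in conf.get("listenerConfig", {}):
        findings.append("sslVerifyClient='require' but [listenerConfig] keyStore.path is unset")
    for version in mtls.get("protocolVersions", []):
        if version in DEPRECATED_VERSIONS:
            findings.append(f"protocolVersions lists deprecated {version}")
    for suite in mtls.get("ciphers", []):
        if "3DES" in suite or suite.startswith("SSL_"):
            findings.append(f"legacy cipher suite {suite} (3DES or SSLv3-era name)")
    return findings
```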
